    Author Archive - Trend Micro

    A few months after the case of the missing Malaysia Airlines Flight 370, the world was shocked again by more tragic news: the crash of a Malaysia Airlines 777 (also known as MH17) over Ukraine, which killed nearly 300 passengers and crew members. As with past incidents, cybercriminals were quick to take advantage of the tragedy, which occurred on July 17, 2014.

    During our investigation, just a few hours after Malaysia Airlines tweeted at 23:36 on July 17, “Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukrainian airspace. More details to follow,” we came across some suspicious tweets written in Indonesian:




    Figures 1-3: Screenshots of tweets pointing to malicious domains

    The URLs appear to be used in a form of spam that piggybacks on the most talked-about topic or hashtag on Twitter so that the tweets surface easily when users search for it; each click by a user increases the URL's hit count. The .TK URLs resolve to the following IPs:

    • 72[dot]8[dot]190[dot]126
    • 72[dot]8[dot]190[dot]39

    Based on our analysis, these two IPs are shared web-hosting IPs located in the US. Each is mapped to multiple domains; some of these domains are malicious, while others are legitimate domains hosting blogs. We surmise that this spam is meant to gain hits and page views for their sites or ads.

    The malicious domains associated with these IPs, on the other hand, are connected to a ZeuS variant detected as TSPY_ZBOT.VUH and to SALITY malware. ZeuS/ZBOT are known information stealers, while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once a system is infected with this file infector, it is open to further malware infections, compromising its security.

    Cybercriminals always ride the bandwagon of tragic news and incidents. In the past, we have seen several scams and threats that leveraged news of typhoon Haiyan, the Boston Marathon, and the 2011 tsunami and earthquake in Japan, among others. We expect that as more details of the MH17 crash unfold, cybercriminals will launch other attacks that may lead to personal information theft and system infection. Users are highly recommended to remain vigilant for threats that could leverage this news. Trend Micro protects users from such threats via its Smart Protection Network, which blocks all related malicious URLs and detects malicious files.

     With analysis from Jon Oliver,  Rhena Inocencio, Maersk Menrige, and Arabelle Ebora

    Update as of July 18, 2014, 4:05 P.M. PDT:

    The tweets in question used the hashtag #MH17 which was the top trending hashtag on Twitter yesterday.

    Update as of July 22, 2014, 12:29 P.M. PDT:

    We spotted a suspicious message on Facebook that also leverages the said tragic news. When unsuspecting users open the link, http://{BLOCKED}, it points to sites with scam ads or a free download of a video installer, which Trend Micro detects as ADW_BRANTALL. The page also allows users to post the link to Facebook even before they get to view the supposed video. Note, however, that this particular sample is not related to the ADW_BRANTALL that downloads MEVADE/SEFNIT as discussed in this paper. When users open this via mobile devices, it only redirects to an advertising site.


    Figure 4. Screenshot of the Facebook post that takes advantage of the MH17 news



    Figure 5. Screenshot of the page that users see when they accessed the URL


    As of posting, Trend Micro has already informed Facebook, and they have suspended all related accounts.

    Posted in Bad Sites, Malware | Comments Off on Cybercriminals Hitchhike on the News of MH17 Crash

    11:56 am (UTC-7)


    Monitoring the cybercriminal underground sometimes leads us down some interesting paths. We recently encountered a cybercriminal posting in a Russian underground forum which led to the discovery of more than 136,000 stolen credit card credentials.

    Help in all the wrong places

    The trail started with the following post on a Russian underground forum.

    Figure 1. Post in underground forum (click to enlarge)

    The post from user acmpassagens asking for help with the well-known Virtual Skimmer point-of-sale (PoS) malware family was not particularly unusual. However, two things stood out: first of all, the post, despite being written in Russian, was not written by a native speaker. The sentence construction did not look right. The poster also claimed that he had access to more than 400 PoS terminals in gas stations and shops… in Brazil. This was a user from Brazil asking questions in a Russian underground forum.

    As part of his post, acmpassagens left both his e-mail address ( and Skype address (acmpassagens). Together with his username, one can follow some of this person’s other online activities. For example, on an official Microsoft forum, he replied to a question about credit card readers with a post offering to sell software:

    Figure 2. Post on Microsoft Developer Network (MSDN)

    Videos related to card-skimming contained his e-mail address so curious viewers who wanted to “join the business” could contact him directly as well.

    Figure 3. Youtube video

    However, initially there didn’t appear to be anything online that could help us uncover the identity of acmpassagens. We were able to obtain some of the e-mail addresses he used, as well as two of his Skype accounts: acmpassagens and _brenosk815.

    However, just before we were about to set this case aside, diligent Google searching led to an incredible jackpot: an account used by acmpassagens on the online file storage service 4shared. Moreover, all of the contents of his account – all 1GB of it – were open for anybody with Internet access to see, without the need for a user name or password.

    Figures 4 and 5. Publicly available 4shared account

    What was in this account?

    The files in the 4shared account contained what appeared to be a log of the cybercrime activities that acmpassagens had carried out. It contained malware, phishing templates, and various documents with what appeared to be the personal information of cybercriminals, accomplices, and victims.

    First, who is acmpassagens? According to the account, he is a Brazilian national named Breno Franco. He describes himself as a “businessman”, with an official address in Salvador, the eighth most populous city in Brazil. There were also multiple pictures of himself on the account:

    Figure 6. Picture of Breno Franco

    Mr. Franco used multiple addresses to communicate with others:


    In addition to this, there was ample information relating to Mr. Franco’s money mules. We found various documents including Visa card slips and printouts of bank account statements.

    Figure 7. Scanned identity card

    Some of these documents may not be authentic. However, there also appeared to be private information of these mules, including scans of passports and official Brazilian identity cards (see above). It is hard to determine if these documents belong to actual people or whether the passports are fakes, since we also found Photoshop files for fake passports in 4shared. In addition, there was a recording of a VoIP call between a mule and Mr. Franco:

    Figure 8. Recorded VoIP call

    What about Mr. Franco’s cybercrime haul? In the account, we found what appeared to be 136,000 credit card numbers stored for future usage.

    Table 1. Stolen cards

    More than 107,000 of these numbers are for Visa, and more than 20,000 for MasterCard, with other networks picking up the small remainder. Visa is an official FIFA Partner, which may explain why Visa customers were frequent victims.

    The 4shared account also contained the tools that Mr. Franco may have used to carry out his attacks. There was PoS malware belonging to the Virtual Skimmer and BlackPOS families, which may have been used to carry out the attacks that Mr. Franco described in some of his posts.

    Aside from the above malicious tools, there were two other files useful in processing stolen card information. One was a file used to generate credit cards with stolen valid credit card numbers. The other is used to verify card numbers and is known as T3ST4D0R C0D3R (CC VALIDA). (Legitimate software has been abused by cybercriminals for the latter role.)

    There were also templates for various phishing sites stored inside the 4shared account. Some of these sites had been found in the wild very recently. These phishing sites took advantage of the ongoing World Cup:

    Figure 9. Phishing site

    One of these phishing templates was uploaded to the compromised site of a Brazilian restaurant and shop. The files on the said site can be grouped into two: files from around 2011, when the legitimate site was last created/modified, and 2014, when Mr. Franco took control of the site and used it to host his phishing page.
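One way to reproduce the file grouping described above on a suspect web root, as an added Python example that is not part of the original post: it buckets files by modification year and lists everything newer than the year the legitimate site was last built. The directory layout, file names and years below are constructed for illustration; `collect_entries` walks a real directory when one is given.

```python
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: (relative path, modification year) pairs standing in for a
# restaurant site last built in 2011 with a phishing kit dropped into it in 2014.
SAMPLE_ENTRIES = [
    ("index.php", 2011),
    ("css/style.css", 2011),
    ("img/logo.png", 2011),
    ("menu/cardapio.html", 2011),
    ("img/.tmp/login.php", 2014),
    ("img/.tmp/config.php", 2014),
    ("js/loader.js", 2014),
]


def collect_entries(root):
    """Walk a real directory tree and return (relative path, mtime year) pairs."""
    root = Path(root)
    entries = []
    for p in root.rglob("*"):
        if p.is_file():
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            entries.append((str(p.relative_to(root)), mtime.year))
    return entries


def bucket_by_year(entries):
    """Count files per modification year; a static site shows one or two dense clusters."""
    return Counter(year for _, year in entries)


def files_added_after(entries, last_legit_year):
    """Paths modified after the year the site owner last changed the site."""
    return sorted(path for path, year in entries if year > last_legit_year)


if __name__ == "__main__":
    import sys

    # Pass a document root as the first argument to scan a real tree.
    entries = collect_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    print(dict(sorted(bucket_by_year(entries).items())))
    for path in files_added_after(entries, 2011):
        print("review:", path)
```

Modification times are under the attacker's control (a copy that preserves timestamps, or a deliberate reset, will hide a file in the old cluster), so treat the year buckets as a starting point and corroborate with inode change times, web server logs and the hosting provider's backups before deciding which files are foreign.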


    In the past, the cybercriminal underground operated in distinct groups: there were separate Russian underground communities, Latin American underground communities, and so on. That is no longer the case: cybercriminals are now crossing borders and combining the various tools and resources available to them.

    As cybercriminals become increasingly able to work together, attacks will become truly global. Trend Micro will continue to work closely with law enforcement, supporting it and sharing information whenever possible, to bring cybercriminals to justice.


    Posted in Malware | Comments Off on Brazilians in the Russian Underground

    5:04 am (UTC-7)

    With the 2014 FIFA World Cup in Brazil about to kick off in less than a week, it should be no surprise that phishing sites have intensified their spam campaigns targeting Brazilians as well.

    Some of these spam runs are fairly basic, as far as these go. This particular one, for example, tries to lure users with a lottery with a jackpot prize of 5 million Brazilian reais (just short of 2.2 million US dollars).

    Figure 1. Lottery phishing message

    A typical phishing attack like this consists of three stages. First, the user visits the phishing site where their information is collected. In this particular case, the stolen information includes:

    • Credit Card Number
    • CVV code
    • Month and year of card expiry
    • Name of issuing bank
    • Online banking password
    • Owner’s email address

    In the second stage, a PHP script stores all of the captured information in a text file on the malicious site.

    Figure 2. PHP code

    In this particular case, the text file is named CCS.TXT. In the third stage, this file is emailed to an address under the attacker's control.

    Figure 3. Stored information

    We have found other attacks that use similar bait, although they are more obviously tied to the World Cup. Here is an example, which we first saw about a month ago:

    Figure 4. World Cup-related phishing site

    In addition to the usual information stolen in phishing attacks, the persons behind this also targeted two pieces of information that are not commonly stolen:

    • the card’s credit limit
    • the user’s Cadastro de Pessoas Físicas (CPF, or personal identification number)

    The CPF is an 11-digit identification number used to identify taxpayers (both Brazilians and resident aliens) in Brazil. Like a credit card number, a CPF has a defined format and a validation algorithm that checks whether the number is well formed.
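The two validation algorithms just mentioned, as an added Python example that is not part of the original post: the public CPF check-digit rule and the Luhn check used for card numbers, run over a constructed sample in the style of the text file that the kit from the lottery scam above writes (the CCS.TXT dump). A web host or incident responder can run such a scan over a compromised site's document root to find credential dumps; the sample lines, the pipe-delimited layout and the helper names are my own, and the card numbers are standard test numbers rather than victim data.

```python
import re

# Constructed sample in the style of a phishing kit's dump file. The card numbers are
# public test numbers and the CPF values are illustrative, not real victim data.
SAMPLE_DUMP = """\
cc=4111111111111111|cvv=123|exp=05/16|bank=Banco Exemplo|cpf=529.982.247-25
cc=4111111111111112|cvv=999|exp=01/15|bank=Banco Exemplo|cpf=111.111.111-11
nome=Fulano de Tal|email=fulano@example.com.br
"""

# 13-19 digits with optional single space/dash separators, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# 11 digits in the usual 000.000.000-00 layout, separators optional.
CPF_RE = re.compile(r"(?<!\d)\d{3}\.?\d{3}\.?\d{3}-?\d{2}(?!\d)")


def cpf_is_valid(cpf):
    """CPF rule: 11 digits, not all identical, two mod-11 check digits."""
    digits = re.sub(r"\D", "", cpf)
    if len(digits) != 11 or digits == digits[0] * 11:
        return False
    nums = [int(c) for c in digits]
    for position in (9, 10):
        # Weights count down from position+1 to 2 over the digits before the check digit.
        weights = range(position + 1, 1, -1)
        total = sum(d * w for d, w in zip(nums[:position], weights))
        check = (total * 10) % 11  # same as 11 - (total % 11), with 10 mapping to 0
        if check == 10:
            check = 0
        if check != nums[position]:
            return False
    return True


def luhn_is_valid(pan):
    """Luhn check over a 13-19 digit card number; separators are ignored."""
    digits = [int(c) for c in re.sub(r"\D", "", pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right, folding >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_dump(text):
    """Triage a suspect file: count check-digit-valid PANs and CPFs and note which lines hit."""
    result = {"pans": 0, "cpfs": 0, "lines_flagged": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        pans = [m.group() for m in PAN_RE.finditer(line) if luhn_is_valid(m.group())]
        cpfs = [m.group() for m in CPF_RE.finditer(line) if cpf_is_valid(m.group())]
        result["pans"] += len(pans)
        result["cpfs"] += len(cpfs)
        if pans or cpfs:
            result["lines_flagged"].append(lineno)
    return result


if __name__ == "__main__":
    import sys

    # Pass a file path to scan a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(scan_dump(text))
```

Both checks only prove a number is well formed, so a file with many valid-looking PANs next to CVVs, expiry dates and CPFs is a strong signal of a dump worth escalating, while a single hit in an invoice is not; counting per line rather than per file keeps that context.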

    How big are these scams? Through our underground research, we were able to identify the size of the “hoard” of stolen credentials one of the cybercriminals using these attacks possessed. We believe that this particular cybercriminal has approximately 5000 credit cards available to sell at any given time. Some of these cards are identified by their network (e.g., Visa or MasterCard), while others are identified by their issuing bank (Bank of America was explicitly mentioned).

    For stolen e-mail accounts, our cybercriminal has plenty of those too. We identified more than 80,000 accounts whose credentials had been stolen. It is particularly telling that almost 83% of these credentials were for providers with domain names in the .br top-level domain. The most common domains for these stolen credentials are in the table below:

    Table 1. Distribution of stolen e-mail account credentials

    This should not be a surprise, as many of these phishing scams are explicitly targeted at users in Brazil. The first example cited here used the name of the largest payment card operator in Brazil, Cielo. The CPF, as we noted earlier, is something issued only to Brazilians or foreigners who live in the country. As is the case with other scams, spam runs are the favored way to spread these attacks to users.

    We are closely monitoring the threat actors behind some of these attacks, and will release more information in future blog posts.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events, including the 2014 FIFA World Cup.

    Posted in Bad Sites, Spam | Comments Off on Phishing Sites Intensify World Cup Campaigns

    The first quarter of the year saw cybercrime hit targets that may not have been considered worthwhile in previous quarters. Multiple Bitcoin exchanges found themselves the victims of various attacks and were forced to close shop. The most high-profile victim was Mt. Gox, which had at one time been the leading Bitcoin exchange in the world.

    Exchanges were not the only target. With more than 12 million Bitcoins in existence – with a value of 6-8 billion US dollars – it was only a matter of time before Bitcoins were targeted for theft in the same way that real-world currencies are. Multiple malware families targeted the Bitcoin wallets of users in order to steal their contents.

    Despite the best intentions of the creators and many users of Bitcoin, its perceived anonymity and privacy have meant that many cybercriminal elements have adopted the cryptocurrency as well. For example, CryptoLocker ransomware frequently asks for payment in Bitcoin. In many cybercrime marketplaces, underground tools are also bought and sold with Bitcoin as the form of payment.

    This shouldn’t be taken to mean that ordinary cybercrime threats have gone away. Take conventional online banking malware: it is up over the same period last year, with the United States, Japan, and India the three most affected countries.

    Figure 1. Countries Most Affected by Online Banking Malware

    Ransomware in the form of CryptoLocker also continued to affect users. As has been the case with previous ransomware threats (like the Police Trojan), CryptoLocker and similar threats have become “regional”, with variants specifically targeting users in Hungary and Turkey. Only 28% of ransomware victims are in the United States, so these tactics make perfect sense.

    Figure 2. Countries Most Affected by Ransomware

    Large-scale cybercrime threats continued as well. Multiple large-scale incidents of malware affecting point-of-sale (POS) terminals resulted in millions of credit card credentials being stolen, resulting in millions of dollars of losses. These attacks used techniques that would not be out of place in a more sophisticated targeted attack; they highlighted the importance of custom defence strategies.

    Mobile malware continued its inexorable growth, with the total number of mobile malware and high-risk apps exceeding two million. More than 647,000 of these were found in the first quarter alone. Adware surpassed premium service abusers in number, in part due to pushback from cellular service providers. In addition, security vulnerabilities were also found in Android that could leave users in an infinite boot loop.

    For more details about these and other security threats in the first quarter, check our security roundup titled Cybercrime Hits the Unexpected.


    4:05 am (UTC-7)

    Industry experts have previously estimated that, on average, a compromised machine remains infected for 6 weeks. However, our latest research indicates that this estimate is far from accurate. During the analysis of approximately 100 million compromised IP addresses, we identified that half of all IP addresses were infected for at least 300 days. That percentage rises to eighty percent if the minimum time is reduced to a month. This data can be seen graphically below:

    Figure 1. Infection data by country

    The news only gets worse from that point. While three-fourths of the IP addresses in our study were identified with consumer users, the remaining quarter belongs to enterprise users. Because a single IP address for these users is typically identified with a single gateway which may, in turn, be connected to multiple machines in an internal network, the actual percentage of enterprise machines affected by malware may be higher than the IP address data suggests.
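A sketch of how dwell-time figures like those above are derived from telemetry, as an added Python example that is not from the original post: each IP's first and last sighting in a feed of (ip, date) observations gives its infection span, from which the share of addresses infected for at least N days follows. The sightings are constructed (documentation addresses, not real hosts); a real feed would be reputation or sinkhole hits. The last function illustrates the gateway caveat in the paragraph above by weighting each address by an assumed number of hosts behind it, which is my own addition.

```python
from datetime import date

# Constructed sightings: (ip, date) observations of malicious activity from an
# address. The addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_SIGHTINGS = [
    ("192.0.2.1", date(2009, 1, 1)),
    ("192.0.2.1", date(2009, 7, 4)),
    ("192.0.2.1", date(2009, 12, 31)),
    ("192.0.2.2", date(2009, 3, 1)),
    ("192.0.2.2", date(2009, 3, 15)),
    ("192.0.2.2", date(2009, 11, 30)),
    ("192.0.2.3", date(2009, 6, 1)),
    ("192.0.2.3", date(2009, 6, 20)),
    ("192.0.2.4", date(2009, 8, 5)),
]


def dwell_times(sightings):
    """Days from first to last sighting per IP, inclusive (a single sighting counts as 1)."""
    first, last = {}, {}
    for ip, day in sightings:
        first[ip] = min(day, first.get(ip, day))
        last[ip] = max(day, last.get(ip, day))
    return {ip: (last[ip] - first[ip]).days + 1 for ip in first}


def share_infected_at_least(dwell, days):
    """Fraction of IPs whose span is at least `days` (the 300-day / 30-day style figure)."""
    if not dwell:
        return 0.0
    return sum(1 for d in dwell.values() if d >= days) / len(dwell)


def host_weighted_share(dwell, hosts_behind, days):
    """Same fraction, but each IP counts for the hosts assumed behind it.

    hosts_behind maps ip -> estimated machines sharing that address (a NAT gateway);
    addresses not listed count as a single consumer host.
    """
    total = sum(hosts_behind.get(ip, 1) for ip in dwell)
    hit = sum(hosts_behind.get(ip, 1) for ip, d in dwell.items() if d >= days)
    return hit / total if total else 0.0


if __name__ == "__main__":
    spans = dwell_times(SAMPLE_SIGHTINGS)
    print(spans)
    print("share >= 300 days:", share_infected_at_least(spans, 300))
    print("share >= 30 days: ", share_infected_at_least(spans, 30))
    # Treat the first address as an enterprise gateway fronting 50 machines.
    print("host-weighted >= 300 days:", host_weighted_share(spans, {"192.0.2.1": 50}, 300))
```

Two things this makes visible: a span measured from first to last sighting is a lower bound, since the address may have been infected before it was first observed, and address churn (DHCP reassignment) can make one long infection look like several short ones or stitch two hosts into one, so the per-IP figures should be read as estimates rather than machine counts.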

    Once a machine becomes compromised, it is not unusual to find that it has become part of a wider botnet. Botnets frequently cause damage in the form of malware attacks, fraud, information theft and other crimes. In 2009, virtually all malware tracked by Trend Micro experts was used by cybercriminals to steal information.

    Currently, the three most dangerous botnets in relation to information, financial and identity theft are:

    • Koobface
    • ZeuS/Zbot
    • Ilomo/Clampi

    Overall, botnets control more compromised machines than had been previously believed. Only a handful of criminals (likely a few hundred) have more than 100 million computers under their control. This means that cybercriminals have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90 percent of all e-mail worldwide is now spam.

    While there isn’t exactly a 1:1 correlation between the top ten countries with compromised machines and the top spamming countries, some correlation does exist:

    Figure 2. Compromised systems by country

    Using Koobface as an example of a typical botnet, Trend Micro threat experts have established that about 51,000 compromised machines are currently part of this particular botnet. At any time, Koobface uses 5 or 6 command-and-control (C&C) centers to control these compromised machines. If one C&C domain is taken down by a particular provider, the Koobface gang simply re-registers the same C&C domains with other providers. Between mid-March 2009 and mid-August, Trend Micro researchers recorded around 46 Koobface C&C domains.

    In comparison, while studying the Ilomo botnet, we identified 69 C&C domains. However, this number is difficult to confirm, as new domains are added while others are removed daily. In addition, the number of infected machines within the Ilomo botnet cannot be ascertained owing to the structure of the botnet itself.

    Trend Micro threat experts are committed to ongoing technical research and analysis. Technical reports of the Koobface and Ilomo botnets have been published and can be found in the research and analysis section of TrendWatch.

    Fortunately, new technologies are becoming available to counter these ever growing threats. The Trend Micro Smart Protection Network prevents over 1 billion threats from infecting its customers daily.

    Trend Micro uses the power of Smart Protection Network to detect and protect against infections. The Smart Protection Network is made up of 3 core areas: Email Reputation, Web Reputation and File Reputation combined with more traditional endpoint anti-spam and anti-malware protection techniques.

    Processing over 5 billion customer queries per day, the Trend Micro Smart Protection Network is a next generation cloud-client content security infrastructure designed to block threats before they reach a network. By combining in-the-cloud technologies with smaller, lighter-weight clients, users have immediate access to the latest protection.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice